Mexonizator
Forum Members, 13 posts

Everything posted by Mexonizator

  1. To sum up. All 3 errors have been beaten, the tunnel is stable, everything is running normally.
     1. Apparently the error is caused by the NAT on the router (the Cisco sits behind it), and possibly also by its IPSEC ALG feature. Initiating the connection from the Cisco's side rather than the Zyxel's solved the problem.
        05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job Nov 14 19:22:12 ipsec
     2. The Nailed-Up checkbox and transport mode in phase 2 caused tunnel drops even after a successful establishment.
     3. And finally. It turned out that this error arises from encryption that is too strong in phase 1. The Keenetic simply could not finish the cryptography during negotiation in time, and the Cisco kept sending repeated requests, which in the end led to the drop. Lowering the cipher to 128 bits and switching to SHA1 solved the problem.
        10[IKE] retransmit 1 of request with message ID 0 Nov 10 13:15:20 ipsec
     Thanks everyone, the topic can be considered closed.
  2. TP-LINK RT480T+. This router has an IPSEC ALG feature, which I disabled. Tellingly, it had no particular effect. P.S. The firmware version is in a hidden post.
  3. Then another question. If IPSec loads the CPU to nearly 100% during data transfer, what can be done in that case?
  4. Good day. Does the Keenetic III support hardware encryption? What causes the following error?
     (config)> crypto engine hardware
     Command::Base error[7405602]: engine: argument parse error.
     Thanks!
  5. News from the field. Switching the VPN mode from transport to tunnel removed the error. But a new glitch appeared. After the first start the VPN worked for a while and then started spewing into the log:
     Nov 14 19:22:12 ipsec 05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
     Nov 14 19:22:12 ipsec 08[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
     Nov 14 19:22:15 ipsec 06[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
     Nov 14 19:22:17 ipsec 13[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
     Nov 14 19:22:22 ipsec 05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
     Apparently the error is related to NAT, but it is unclear exactly how. On the Cisco side (i.e. between it and the tunnel) there is no NAT. And, tellingly, restarting the VPN did not help. Evidently the problem is somehow connected with the mapping on the NAT side. UPD: When started the next day, the VPN came up again without problems and has been working for a while. UPD2: The error is pouring in again, but, interestingly, data keeps flowing so far.
  6. The initiator is the Zyxel, which connects to the Cisco. Regarding draft: is there any way to do without it? I will attach the self-test in the next post. Pity there is no such option in the connection settings.
  7. Good day! As the topic title says, the device starts bringing up the tunnel, and for some incomprehensible reason several attempts are made at once. As a result, the connection is established successfully within one of the negotiations and then duly drops, because the other one gets no reply from the Cisco and cuts it off on timeout. Tellingly, there are no problems with the connection itself: packets flow, the computers see each other, ping... Firmware version: v2.08(AAUU.4)C2 Cisco version: 15.4 Keenetic logs:
     Nov 10 13:15:01 ipsec 06[MGR] ignoring request with ID 0, already processing
     Nov 10 13:15:08 ipsec 16[IKE] remote host is behind NAT
     Nov 10 13:15:08 ipsec 14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2]
     Nov 10 13:15:08 ipsec 14[CFG] selected peer config 'Test'
     Nov 10 13:15:08 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
     Nov 10 13:15:08 ipsec 14[IKE] authentication of '192.168.0.2' with pre-shared key successful
     Nov 10 13:15:08 ipsec 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
     Nov 10 13:15:08 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
     Nov 10 13:15:08 ipsec 14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key
     Nov 10 13:15:08 ipsec 14[IKE] IKE_SA Test[4] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
     Nov 10 13:15:08 ipsec 14[IKE] scheduling reauthentication in 3573s
     Nov 10 13:15:08 ipsec 14[IKE] maximum IKE_SA lifetime 3593s
     Nov 10 13:15:08 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
     Nov 10 13:15:08 ipsec 14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
     Nov 10 13:15:08 ipsec 14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ
     Nov 10 13:15:08 ipsec 14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
     Nov 10 13:15:08 ipsec 14[IKE] CHILD_SA Test{2} established with SPIs c12ee9c8_i c20b83b1_o and TS 192.168.10.0/24 === 192.168.0.0/24
     Nov 10 13:15:08 ndm IpSec::Configurator: crypto map "Test" is up.
     Nov 10 13:15:08 ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
     Nov 10 13:15:08 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
     Nov 10 13:15:08 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
     Nov 10 13:15:08 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
     Nov 10 13:15:11 ipsec 10[IKE] retransmit 1 of request with message ID 0
     Nov 10 13:15:20 ipsec 08[IKE] retransmit 2 of request with message ID 0
     Nov 10 13:15:30 ipsec 10[IKE] retransmit 3 of request with message ID 0
     Nov 10 13:15:41 ipsec 09[IKE] retransmit 4 of request with message ID 0
     Nov 10 13:15:52 ipsec 05[IKE] retransmit 5 of request with message ID 0
     Nov 10 13:16:05 ipsec 10[IKE] retransmit 6 of request with message ID 0
     Nov 10 13:16:20 ipsec 09[IKE] retransmit 7 of request with message ID 0
     Nov 10 13:16:35 ipsec 16[IKE] retransmit 8 of request with message ID 0
     Nov 10 13:16:52 ipsec 12[IKE] giving up after 8 retransmits
     Nov 10 13:16:52 ndm IpSec::Configurator: remote peer of crypto map "Test" is down.
     Nov 10 13:16:52 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:16:52 ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
     Nov 10 13:16:52 ndm IpSec::Configurator: schedule reconnect for crypto map "Test".
     Nov 10 13:16:52 ipsec 12[IKE] establishing IKE_SA failed, peer not responding
     Nov 10 13:17:08 ndm IpSec::Configurator: reconnecting crypto map "Test".
     Nov 10 13:17:10 ndm IpSec::Configurator: crypto map "Test" shutdown started.
     Nov 10 13:17:10 ipsec 12[CFG] received stroke: unroute 'Test'
     Nov 10 13:17:10 ipsec 13[CFG] received stroke: terminate 'Test{*}'
     Nov 10 13:17:10 ipsec 16[IKE] closing CHILD_SA Test{2} with SPIs c12ee9c8_i (40144 bytes) c20b83b1_o (811908 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24
     Nov 10 13:17:10 ipsec 16[IKE] sending DELETE for ESP CHILD_SA with SPI c12ee9c8
     Nov 10 13:17:10 ipsec 09[IKE] received DELETE for ESP CHILD_SA with SPI c20b83b1
     Nov 10 13:17:10 ipsec 09[IKE] CHILD_SA closed
     Nov 10 13:17:10 ipsec 14[CFG] received stroke: terminate 'Test[*]'
     Nov 10 13:17:10 ndm IpSec::Configurator: crypto map "Test" shutdown complete.
     Nov 10 13:17:11 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:17:11 ipsec 06[IKE] deleting IKE_SA Test[4] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
     Nov 10 13:17:11 ipsec 06[IKE] sending DELETE for IKE_SA Test[4]
     Nov 10 13:17:11 ipsec 11[IKE] IKE_SA deleted
     Nov 10 13:17:11 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:17:11 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
     Nov 10 13:17:11 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
     Nov 10 13:17:11 ipsec 15[IKE] received Cisco Delete Reason vendor ID
     Nov 10 13:17:11 ipsec 15[IKE] CISCO_IP is initiating an IKE_SA
     Nov 10 13:17:11 ipsec 15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
     Nov 10 13:17:11 ipsec 15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
     Nov 10 13:17:11 ipsec 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
     Nov 10 13:17:11 ipsec 12[CFG] received stroke: initiate 'Test'
     Nov 10 13:17:11 ndm IpSec::Configurator: crypto map "Test" initialized.
     Nov 10 13:17:13 ipsec 07[MGR] ignoring request with ID 0, already processing
     Nov 10 13:17:17 ipsec 09[MGR] ignoring request with ID 0, already processing
     Nov 10 13:17:19 ipsec 15[IKE] remote host is behind NAT
     Nov 10 13:17:19 ipsec 16[IKE] initiating IKE_SA Test[6] to CISCO_IP
     Nov 10 13:17:20 ipsec 14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2]
     Nov 10 13:17:20 ipsec 14[CFG] selected peer config 'Test'
     Nov 10 13:17:20 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
     Nov 10 13:17:20 ipsec 14[IKE] authentication of '192.168.0.2' with pre-shared key successful
     Nov 10 13:17:20 ipsec 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
     Nov 10 13:17:20 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
     Nov 10 13:17:20 ipsec 14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key
     Nov 10 13:17:20 ipsec 14[IKE] IKE_SA Test[5] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
     Nov 10 13:17:20 ipsec 14[IKE] scheduling reauthentication in 3569s
     Nov 10 13:17:20 ipsec 14[IKE] maximum IKE_SA lifetime 3589s
     Nov 10 13:17:20 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
     Nov 10 13:17:20 ipsec 14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
     Nov 10 13:17:20 ipsec 14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ
     Nov 10 13:17:20 ipsec 14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
     Nov 10 13:17:20 ipsec 14[IKE] CHILD_SA Test{3} established with SPIs c96d5999_i 8d98ca14_o and TS 192.168.10.0/24 === 192.168.0.0/24
     Nov 10 13:17:20 ndm IpSec::Configurator: crypto map "Test" is up.
     Nov 10 13:17:20 ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
     Nov 10 13:17:20 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
     Nov 10 13:17:20 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
     Nov 10 13:17:20 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
     Nov 10 13:17:32 ipsec 11[IKE] retransmit 1 of request with message ID 0
     Nov 10 13:17:41 ipsec 07[IKE] retransmit 2 of request with message ID 0
     Nov 10 13:17:50 ipsec 05[IKE] retransmit 3 of request with message ID 0
     Nov 10 13:18:01 ipsec 13[IKE] retransmit 4 of request with message ID 0
     Nov 10 13:18:13 ipsec 05[IKE] retransmit 5 of request with message ID 0
     Nov 10 13:18:26 ipsec 15[IKE] retransmit 6 of request with message ID 0
     Nov 10 13:18:40 ipsec 13[IKE] retransmit 7 of request with message ID 0
     Nov 10 13:18:55 ipsec 16[IKE] retransmit 8 of request with message ID 0
     Nov 10 13:19:13 ipsec 14[IKE] giving up after 8 retransmits
     Nov 10 13:19:13 ndm IpSec::Configurator: remote peer of crypto map "Test" is down.
     Nov 10 13:19:13 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:19:13 ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
     Nov 10 13:19:13 ndm IpSec::Configurator: schedule reconnect for crypto map "Test".
     Nov 10 13:19:13 ipsec 14[IKE] establishing IKE_SA failed, peer not responding
     Nov 10 13:19:29 ndm IpSec::Configurator: reconnecting crypto map "Test".
     Nov 10 13:19:31 ndm IpSec::Configurator: crypto map "Test" shutdown started.
     Nov 10 13:19:31 ipsec 14[CFG] received stroke: unroute 'Test'
     Nov 10 13:19:31 ipsec 08[CFG] received stroke: terminate 'Test{*}'
     Nov 10 13:19:31 ipsec 16[IKE] closing CHILD_SA Test{3} with SPIs c96d5999_i (24735 bytes) 8d98ca14_o (68197 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24
     Nov 10 13:19:31 ipsec 16[IKE] sending DELETE for ESP CHILD_SA with SPI c96d5999
     Nov 10 13:19:31 ipsec 13[IKE] received DELETE for ESP CHILD_SA with SPI 8d98ca14
     Nov 10 13:19:31 ipsec 13[IKE] CHILD_SA closed
     Nov 10 13:19:31 ipsec 09[CFG] received stroke: terminate 'Test[*]'
     Nov 10 13:19:31 ndm IpSec::Configurator: crypto map "Test" shutdown complete.
     Nov 10 13:19:31 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:19:31 ipsec 10[IKE] deleting IKE_SA Test[5] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
     Nov 10 13:19:31 ipsec 10[IKE] sending DELETE for IKE_SA Test[5]
     Nov 10 13:19:31 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
     Nov 10 13:19:31 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
     Nov 10 13:19:32 ipsec 12[CFG] received stroke: initiate 'Test'
     Nov 10 13:19:32 ndm IpSec::Configurator: crypto map "Test" initialized.
     Nov 10 13:19:39 ipsec 15[IKE] unable to create CHILD_SA while deleting IKE_SA
     Nov 10 13:19:39 ipsec 05[IKE] IKE_SA deleted
     Nov 10 13:19:39 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:19:39 ipsec 07[IKE] initiating IKE_SA Test[7] to CISCO_IP
     Nov 10 13:19:51 ipsec 08[IKE] retransmit 1 of request with message ID 0
     Nov 10 13:20:00 ipsec 13[IKE] retransmit 2 of request with message ID 0
     Nov 10 13:20:01 ipsec 10[IKE] received Cisco Delete Reason vendor ID
     Nov 10 13:20:01 ipsec 10[IKE] CISCO_IP is initiating an IKE_SA
     Nov 10 13:20:01 ipsec 10[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
     Nov 10 13:20:01 ipsec 10[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
     Nov 10 13:20:01 ipsec 10[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
     Nov 10 13:20:03 ipsec 14[MGR] ignoring request with ID 0, already processing
     Nov 10 13:20:06 ipsec 16[MGR] ignoring request with ID 0, already processing
     Nov 10 13:20:09 ipsec 10[IKE] remote host is behind NAT
     Nov 10 13:20:09 ipsec 08[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2]
     Nov 10 13:20:09 ipsec 08[CFG] selected peer config 'Test'
     Nov 10 13:20:09 ipsec 08[IKE] linked key for crypto map 'Test' is not found, still searching
     Nov 10 13:20:09 ipsec 08[IKE] authentication of '192.168.0.2' with pre-shared key successful
     Nov 10 13:20:09 ipsec 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
     Nov 10 13:20:09 ipsec 08[IKE] linked key for crypto map 'Test' is not found, still searching
     Nov 10 13:20:09 ipsec 08[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key
     Nov 10 13:20:09 ipsec 08[IKE] IKE_SA Test[8] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
     Nov 10 13:20:09 ipsec 08[IKE] scheduling reauthentication in 3567s
     Nov 10 13:20:09 ipsec 08[IKE] maximum IKE_SA lifetime 3587s
     Nov 10 13:20:09 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
     Nov 10 13:20:09 ipsec 08[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
     Nov 10 13:20:09 ipsec 08[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ
     Nov 10 13:20:09 ipsec 08[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
     Nov 10 13:20:09 ipsec 08[IKE] CHILD_SA Test{4} established with SPIs cdeb3b19_i 00d56f15_o and TS 192.168.10.0/24 === 192.168.0.0/24
     Nov 10 13:20:09 ndm IpSec::Configurator: crypto map "Test" is up.
     Nov 10 13:20:09 ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
     Nov 10 13:20:09 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
     Nov 10 13:20:09 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
     Nov 10 13:20:10 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
     Nov 10 13:20:10 ipsec 05[IKE] retransmit 3 of request with message ID 0
     Nov 10 13:20:20 ipsec 15[IKE] retransmit 4 of request with message ID 0
     Nov 10 13:20:32 ipsec 05[IKE] retransmit 5 of request with message ID 0
     Nov 10 13:20:45 ipsec 08[IKE] retransmit 6 of request with message ID 0
     Nov 10 13:20:48 ndhcps _WEBADMIN: DHCPREQUEST received (STATE_SELECTING) for 192.168.10.45 from 74:04:2b:84:60:e8.
     Nov 10 13:20:48 ndhcps _WEBADMIN: sending ACK of 192.168.10.45 to 74:04:2b:84:60:e8.
     Nov 10 13:20:59 ipsec 16[IKE] retransmit 7 of request with message ID 0
     Nov 10 13:21:15 ipsec 15[IKE] retransmit 8 of request with message ID 0
     Nov 10 13:21:32 ipsec 13[IKE] giving up after 8 retransmits
     Nov 10 13:21:32 ndm IpSec::Configurator: remote peer of crypto map "Test" is down.
     Nov 10 13:21:32 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:21:32 ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
     Nov 10 13:21:32 ndm IpSec::Configurator: schedule reconnect for crypto map "Test".
     Nov 10 13:21:32 ipsec 13[IKE] establishing IKE_SA failed, peer not responding
     Nov 10 13:21:48 ndm IpSec::Configurator: reconnecting crypto map "Test".
     Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" shutdown started.
     Nov 10 13:21:50 ipsec 13[CFG] received stroke: unroute 'Test'
     Nov 10 13:21:50 ipsec 07[CFG] received stroke: terminate 'Test{*}'
     Nov 10 13:21:50 ipsec 15[IKE] closing CHILD_SA Test{4} with SPIs cdeb3b19_i (24726 bytes) 00d56f15_o (85210 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24
     Nov 10 13:21:50 ipsec 15[IKE] sending DELETE for ESP CHILD_SA with SPI cdeb3b19
     Nov 10 13:21:50 ipsec 16[IKE] received DELETE for ESP CHILD_SA with SPI 00d56f15
     Nov 10 13:21:50 ipsec 16[IKE] CHILD_SA closed
     Nov 10 13:21:50 ipsec 06[CFG] received stroke: terminate 'Test[*]'
     Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" shutdown complete.
     Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Nov 10 13:21:50 ipsec 08[IKE] deleting IKE_SA Test[8] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
     Nov 10 13:21:50 ipsec 08[IKE] sending DELETE for IKE_SA Test[8]
     Nov 10 13:21:50 ipsec 05[IKE] IKE_SA deleted
     Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
     Thanks!
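An added example for the two symptoms quoted in these posts: the parallel IKE negotiation that times out and takes the working tunnel down with it (the logs in the opening post just above) and the burst of "NAT mappings ... changed" messages in the later post. This is not the poster's or Keenetic's code. It assumes the "Mon DD HH:MM:SS process NN[SUBSYSTEM] message" layout seen in the quoted lines, and the sample log inside it is constructed by condensing those quotes.

```python
# Added example, not the poster's or Keenetic's code: parse log lines in the
# "Mon DD HH:MM:SS proc NN[SUB] message" layout quoted in the thread (an
# assumption about the format) and flag the two failure patterns discussed.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\s*"
    r"(?P<proc>ipsec|ndm|ndhcps)\s+(?:(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] )?(?P<msg>.*)$")
IGNORED = re.compile(r"ignoring request with ID \d+, already processing")
INITIATING = re.compile(r"initiating IKE_SA (\S+) to ")
ESTABLISHED = re.compile(r"IKE_SA (\S+) established between")
RETRANSMIT = re.compile(r"retransmit \d+ of request with message ID (\d+)")
GIVE_UP = re.compile(r"giving up after \d+ retransmits")
NAT_CHANGED = re.compile(r"NAT mappings of CHILD_SA (\S+) changed to")


def parse_line(line):
    """Timestamp, process, subsystem, message; tolerates the fused
    '13:15:01ipsec' form that copy-paste produces. The log carries no year,
    so strptime's default (1900) is used: fine for deltas within one capture."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "proc": m["proc"], "sub": m["sub"], "msg": m["msg"]}


def find_parallel_exchange_teardowns(events):
    """Opening-post pattern: an IKE_SA comes up, but another exchange keeps
    retransmitting message ID 0 (its IKE_SA_INIT), gives up after 8 tries and
    the crypto map is torn down, working tunnel included. An SA that is already
    established never retransmits message ID 0 again, so such a retransmit
    after 'established' belongs to the second, unanswered negotiation."""
    findings, initiated, established, ignored, stale = [], None, None, 0, False
    for ev in (e for e in events if e["proc"] == "ipsec"):
        msg = ev["msg"]
        m_init, m_est, m_rt = INITIATING.search(msg), ESTABLISHED.search(msg), RETRANSMIT.search(msg)
        if IGNORED.search(msg):
            ignored += 1                      # overlapping request refused
        elif m_init:
            initiated = m_init.group(1)       # SA this side started itself
        elif m_est:
            established, stale = (m_est.group(1), ev["ts"]), False
        elif m_rt and established:
            stale = m_rt.group(1) == "0"
        elif GIVE_UP.search(msg) and established and stale:
            name, ts = established
            findings.append({"established": name,
                             "parallel": initiated if initiated != name else None,
                             "ignored_requests": ignored,
                             "seconds_up": (ev["ts"] - ts).total_seconds()})
            initiated, established, ignored, stale = None, None, 0, False
    return findings


def find_nat_mapping_flaps(events, window_seconds=60, threshold=3):
    """Later-post pattern: 'NAT mappings of CHILD_SA ... changed' repeating
    within seconds. One change after a NAT rebind is normal; a burst means the
    NAT in front of a peer keeps rewriting the UDP/4500 mapping. Returns
    {child_sa: largest burst} for bursts of >= threshold inside the window."""
    stamps = defaultdict(list)
    for ev in events:
        m = NAT_CHANGED.search(ev["msg"])
        if m:
            stamps[m.group(1)].append(ev["ts"])
    flaps = {}
    for sa, ts in stamps.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j + 1 < len(ts) and (ts[j + 1] - ts[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flaps[sa] = max(flaps.get(sa, 0), j - i + 1)
    return flaps


def analyze(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"teardowns": find_parallel_exchange_teardowns(events),
            "nat_flaps": find_nat_mapping_flaps(events)}


# Constructed sample, condensed from the lines quoted in the thread.
SAMPLE_LOG = """\
Nov 10 13:17:13 ipsec 07[MGR] ignoring request with ID 0, already processing
Nov 10 13:17:17 ipsec 09[MGR] ignoring request with ID 0, already processing
Nov 10 13:17:19 ipsec 16[IKE] initiating IKE_SA Test[6] to CISCO_IP
Nov 10 13:17:20 ipsec 14[IKE] IKE_SA Test[5] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:17:20 ndm IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:17:32 ipsec 11[IKE] retransmit 1 of request with message ID 0
Nov 10 13:18:55 ipsec 16[IKE] retransmit 8 of request with message ID 0
Nov 10 13:19:13 ipsec 14[IKE] giving up after 8 retransmits
Nov 10 13:19:13 ndm IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 14 19:22:12ipsec 05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:12 ipsec 08[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:15 ipsec 06[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:17 ipsec 13[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:22 ipsec 05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Run it on a pasted Keenetic log and the first detector reports each IKE_SA that was up when a stale message-ID-0 retransmit finally gave up, together with the SA this side initiated in parallel and how many overlapping requests strongSwan refused: that is the signature of two negotiations racing, not of a broken data path, which matches the poster's observation that traffic flowed fine right up to the teardown. The second detector only fires on a burst of NAT-mapping changes for one CHILD_SA, so a single rebind after an idle period is not flagged, while the five changes in ten seconds quoted above are.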